https://community.cisco.com/t5/network-security/fwsm-access-inside-from-outside-host/m-p/2309949#M342564 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You wont be able to connect to a remote interface. What I mean is that you/user can only connect to an interface behind which that user is located. User behind <STRONG>"inside"</STRONG> can connect to <STRONG>"inside"</STRONG> and user behind <STRONG>"outside"</STRONG> can connect to<STRONG> "outside"</STRONG> interface.</P><P></P><P>Especially in the case of FWSM to my understanding its no possible to achieve this in any way. Atleast I have not seen a way but then again I havent had to look for one.</P><P></P><P>In the newer firewall models its possible to connect to a remote interface (from the users perspective) if the connections is coming through a VPN connection. But this doesnt really apply to FWSM.</P><P></P><P>Also regarding the Syslog. I think the Cisco firewalls will always source traffic only from the interface IP addresses for such typical things as Syslog. So I dont think you can modify the source IP address unless you change the interface IP address that is sending the Syslog.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 24 Sep 2013 12:16:06 GMT Jouni Forss 2013-09-24T12:16:06Z https://community.cisco.com/t5/network-security/fwsm-access-inside-from-outside-host/m-p/2309948#M342563 <P>I have the following question : </P><P></P><P> <SPAN style="font-size: 10pt;">I have 2 FWSM's in failover with an outside and inside interface.</SPAN></P><P>I am trying to SSH and Ping from the outside network to the inside interface of the FWSM.</P><P>This doesn't work.</P><P></P><P> <SPAN style="font-size: 10pt;">Situation is like this : </SPAN></P><P></P><P> <SPAN style="font-size: 10pt;">Workstation(10.32.7.10)-----ROUTER-------10.0.5.34-MSFC-10.0.7.1---------10.0.7.254(outside)-FWSM-10.150.2.1(inside)</SPAN></P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>I have this configuration</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>interface Vlan9</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.0.7.254 255.255.255.0 standby 10.0.7.253</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>interface Vlan402</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.150.2.1 255.255.255.0 standby 10.150.2.10</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P></P><P> <SPAN style="font-size: 10pt;">management-access inside</SPAN></P><P>ssh 10.32.7.0 255.255.255.0 outside</P><P>ssh 10.32.7.0 255.255.255.0 inside</P><P></P><P><SPAN style="font-size: 10pt;">access-list outside_in extended permit icmp any any</SPAN></P><P>access-list outside_in extended permit ip any any</P><P>access-group outside_in in interface outside</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>access-list inside_in extended permit icmp any any</P><P>access-list inside_in extended permit ip any any</P><P>access-group inside_in in interface inside</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>no nat is involved.</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>SSH to the outside address works but not to the inside.</P><P>How can i realise this ?</P><P>Traffic destined to the inside network is working fine.</P><P></P><P></P><P>Also, i use a syslog for the FWSM. Is it possible to define the source ip address of the syslog messages ?</P><P>I want to define the syslog source address 10.0.7.254(outside) but the syslog server is on the inside.</P> Tue, 12 Mar 2019 02:42:45 GMT https://community.cisco.com/t5/network-security/fwsm-access-inside-from-outside-host/m-p/2309948#M342563 sebastianvandijk 2019-03-12T02:42:45Z https://community.cisco.com/t5/network-security/fwsm-access-inside-from-outside-host/m-p/2309949#M342564 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You wont be able to connect to a remote interface. What I mean is that you/user can only connect to an interface behind which that user is located. User behind <STRONG>"inside"</STRONG> can connect to <STRONG>"inside"</STRONG> and user behind <STRONG>"outside"</STRONG> can connect to<STRONG> "outside"</STRONG> interface.</P><P></P><P>Especially in the case of FWSM to my understanding its no possible to achieve this in any way. Atleast I have not seen a way but then again I havent had to look for one.</P><P></P><P>In the newer firewall models its possible to connect to a remote interface (from the users perspective) if the connections is coming through a VPN connection. But this doesnt really apply to FWSM.</P><P></P><P>Also regarding the Syslog. I think the Cisco firewalls will always source traffic only from the interface IP addresses for such typical things as Syslog. So I dont think you can modify the source IP address unless you change the interface IP address that is sending the Syslog.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 24 Sep 2013 12:16:06 GMT https://community.cisco.com/t5/network-security/fwsm-access-inside-from-outside-host/m-p/2309949#M342564 Jouni Forss 2013-09-24T12:16:06Z